A Method for Preventing Ethernet from Being Attacked

Cross Reference to Related Applications 

This application is a National Phase Patent Application of International
Application Number PCT/CN2004/000997, filed on August 27, 2004, which claims
priority of Chinese Patent Application Number 200310103400.7, filed on October 30,
2003.

Field of the Technology 

The invention relates to network security, in particular to a method for preventing
Ethernet from being attacked.

Background of the Invention 

At present, the damage done by network viruses is becoming more and more diversified, and
many new destructive methods are appearing. Attacks on network reliability are one kind of
these new destructive methods. The purpose of this kind of attack is not to steal
information, but to attack network devices by targeting security vulnerabilities in
networks and to destroy normal network communication. Consequently, network
paralysis is caused and greater losses are brought to users. The attack on
Ethernet is a familiar mode of this kind of attack.

In conventional networks, Ethernet is mostly used in an inner network which is
considered to be very safe. Therefore, network security precaution tactics are set only
at the exits of the inner network, but not within it. At the same time, because of the
different users existing in the inner network, it is impossible for a network
management department to monitor and control the network usage of each user within
the inner network. Thus, with the continuous development of new destructive methods
caused by computer viruses and the increasing use of middle and low end network
products which are easy to attack, attacks on Ethernet become easier and easier.
In addition, with the rise of broadband and the popularization of new-style services,
Ethernet is applied more and more frequently in networks outside the network management
department, for example a broadband cell that is accessed by means of
Ethernet. In such a case, Ethernet is easier to attack.

For users that communicate with others through Ethernet, once Ethernet is
attacked and network paralysis occurs, there will be massive losses which are in direct
proportion to the paralysis time even if no valuable data is lost; for companies which
operate their business over Ethernet, such loss is more serious than losing data.

In Ethernet, the address of a host is identified by a Media Access Control (MAC)
address. When data is transmitted, a destination MAC address and a source MAC
address need to be carried in a data packet. An Ethernet communication device, such as a
switch, determines a forwarding port for the data packet from the MAC address
information. At present, forwarding data packets in a switch is based on a MAC address
learning mechanism. As shown in figure 1, taking the MAC address of PC 1 as MAC
1, and the MAC address of PC 2 as MAC 2, when receiving a data packet transmitted
by PC 1, the switch records the MAC address information carried in the data packet
and the information of the port which receives the data packet, namely, it establishes a
map between MAC 1 and Port 1. Similarly, a map between MAC 2 and Port 2 is
established. In this way, the switch can establish a map between the MAC address
information of each host and its associated port information, and store this map in a
MAC table. As shown in figure 1, there are two entries in the MAC table in which
MAC 1 associates with Port 1 and MAC 2 associates with Port 2. When receiving a
data packet that needs to be transmitted to PC 1, the switch first searches for the
corresponding Port 1 in the MAC table according to the MAC address MAC 1 of PC
1, then transmits the data packet to PC 1 via Port 1.

There is no authentication mechanism in the above-mentioned MAC address
learning process, so some malicious users may attack a single user in Ethernet or the
whole Ethernet. This kind of attack may be implemented through MAC address
cheating or MAC address bombing.

Figure 2 schematically illustrates an attack process through MAC address
cheating. As shown in figure 2, if the user of PC 2 is a malicious user and plans to
attack PC 1, he may transmit from PC 2 a data packet carrying MAC 1 in the source MAC
address field. Then, the switch will implement a learning process to
establish a map between MAC 1 and Port 2. That is, after this learning process, the
map between MAC 1 and Port 1 in the switch's MAC table will change to a map
between MAC 1 and Port 2. Therefore, all the data packets to be sent to PC 1 will be
transmitted to Port 2 and then to PC 2, resulting in PC 1 failing to receive the data
packets normally. If the malicious user adopts the same method to attack multiple
hosts or even all hosts in the Ethernet, the whole Ethernet will be close to paralysis.

Besides the above-mentioned MAC address cheating, malicious users can attack
Ethernet through MAC address bombing. For example, malicious users can
continually send data packets with varying source MAC addresses from PC 2, e.g., the
MAC address in the first data packet is MAC 1, the MAC address in the second data
packet becomes MAC 3 and the MAC address in the third data packet is changed to
MAC 8. Thus the switch needs to update the MAC table after receiving each data
packet with a different source address, and the MAC table of the switch will be in an
unstable state. If a source MAC address carried in these data packets is the true
address of a network device in the Ethernet, this network device cannot communicate
normally. This method is usually used by viruses to implement MAC bombing of the
whole Ethernet through the hosts which are infected by the viruses, thereby destroying
normal operation of the whole Ethernet.

To avoid the above attacks on Ethernet, it is popular for a switch to bind a host MAC
address to a switch port, that is, once a fixed map between a port and a
MAC address is established, the switch no longer needs to learn any dynamic MAC address. Thus
the map between the MAC addresses and the ports will not be changed on receiving a
new data packet, and the MAC table becomes a fixed mapping table. In this way,
attacks such as MAC address cheating or MAC address bombing will be avoided
effectively.

However, this kind of binding relationship needs to be configured in a switch by a
network administrator according to the fixed network connection, and once the
configuration is accomplished, the network will be in a fixed mode. A new computer
or other legal Ethernet devices cannot communicate when they are connected to the
network, a computer with a changed Ethernet Network Interface Card (NIC) cannot
communicate because of the different MAC address, and a computer moved from one
place to another cannot communicate because of the change of connection port.
That is, whenever the port or the MAC address of any
network device in the whole Ethernet changes, a network administrator has to modify the
configuration of the switch in time, which brings inconvenience to the entire
network maintenance and increases network maintenance cost.

Summary of the Invention 

In view of this, an object of the invention is to provide a method for preventing
Ethernet from being attacked, which can simplify configuration of the map between
the hardware addresses and the ports, improve the convenience and flexibility of network
management and decrease network maintenance cost while
ensuring the network security of Ethernet.

The present invention provides a method for preventing Ethernet from being
attacked, comprising the steps of:

establishing and storing a fixed map between a port and a hardware address of a
terminal device, then forwarding a data packet according to the fixed map after an
Ethernet communication device detects a new connection between the port and the
terminal device and receives a data packet from the terminal device; and

deleting the fixed map after the Ethernet communication device detects a
disconnection between the port and the terminal device.
The method may further comprise: after receiving the data packet from the
terminal device, judging whether the fixed map has been established; if so, directly
forwarding the data packet; otherwise, establishing and storing the fixed map between
the port and the hardware address of the terminal device. Here, the step of directly
forwarding the data packet comprises the step of judging whether the hardware
address carried in the data packet is consistent with the hardware address
corresponding to the port in said fixed map; if so, forwarding the data packet
according to a conventional forwarding processing; otherwise, discarding the data
packet. After discarding the data packet, the method may further comprise the steps of
recording the judgment result in a log and informing a network administrator.

The hardware address may be a Media Access Control (MAC) address.

Detecting the new connection or the disconnection between the terminal device
and the port may be implemented by detecting physical signals in the port.

The Ethernet communication device may be a two-layer switch, a three-layer
switch, a firewall device or an Ethernet bridge. And the terminal device may be a
personal computer, a server or an IP telephone set.

The fixed map is stored in a hardware address table of the Ethernet
communication device.

It can be seen from the technical solution above that, when a terminal device is
connected to an Ethernet communication device and transmits a data packet, the
Ethernet communication device learns the hardware address on the port to establish a
map between the hardware address of the terminal device and the port. After the
terminal device is disconnected from the Ethernet communication device, the Ethernet
communication device will delete such a map, and when the terminal device is
connected to the port once again or a new terminal device is connected to the port, the
communication device will re-establish, through learning, a map between the hardware
address of the terminal device or that of the new terminal device and the port.
Compared with the prior art in which a fixed mapping table is established and entries
in the table are modified manually by a network administrator, the present invention
will automatically delete the old map and establish a new map, thus bringing more
convenience to network administrators, improving network maintenance efficiency and
decreasing maintenance cost.

In addition, compared with the circumstance in which the hardware address table
is updated frequently, in the present invention, once the hardware address table is
established, the map of the port in the hardware address table is relatively fixed and
will not be changed after each reception of a data packet, unless a disconnection between
the terminal device and the communication device is detected. By the invention, MAC
address cheating and MAC address bombing can be avoided effectively, the risk of
attacks on Ethernet is decreased and the security and reliability of the network are improved.

Brief Description of the Drawings 

Figure 1 is a schematic diagram illustrating a MAC learning mechanism in IP 
Ethernet; 

Figure 2 is a schematic diagram illustrating an attack process of MAC address 
cheating in Ethernet; 

Figure 3 is a schematic flow chart illustrating the entire process according to an 
embodiment of the invention. 

Detailed Description of the Invention

Now, an embodiment of the present invention will be described in detail 
hereinafter with reference to accompanying drawings. 

In Ethernet, all data packets to be forwarded come from user devices in a user
layer of a network. The user devices include Ethernet terminal devices such as PCs,
servers, IP telephone sets and so on, and a switch in the access layer connects these
user devices together. Each of the Ethernet terminal devices has its respective MAC
address, which usually does not change, i.e., the MAC address seen on each port of the
switch usually does not change; the MAC addresses corresponding to the
switch ports change only under the circumstances of the entire terminal device
being replaced, the PC's NIC being changed or the terminal device being
moved a long distance, in which cases the physical connection between the terminal
device and the switch needs to be disconnected. The present embodiment applies a
learning mechanism to the switch, and determines whether the MAC table needs to be
updated by detecting, through detection of physical signals, whether the physical connection
between the terminal device and the switch is cut off. It can thus prevent
Ethernet from being attacked by malicious users through MAC address cheating or
MAC address bombing, and overcome the disadvantages of system maintenance
inconvenience and high maintenance cost induced by the fixed MAC table.

Figure 3 is a general flow chart according to an embodiment of the invention. 
Now, the embodiment of the present invention will be described in detail hereinafter 
with reference to figure 3. 

After establishing a connection between an Ethernet user device and a switch
port, in step 301, the switch receives a data packet from the terminal device.

In step 302, after receiving a data packet from the terminal device on a port, the
switch judges whether the mapping between the MAC address carried in the data
packet and the switch port has been established in the MAC table by the MAC
address learning process. If there is no entry in the MAC table for this terminal device,
step 303 will be executed; otherwise, step 305 will be executed.

In step 303, the switch port implements the MAC address learning process, i.e.,
establishes the map between the terminal device and the switch port.

In step 304, the data packet is forwarded according to the conventional 
forwarding processing. 

In step 305, it is determined whether the source MAC address in the data packet
is the same as the MAC address corresponding to the port in the MAC table. If they
are the same, it indicates that the terminal device from which the data packet comes
has the MAC address corresponding to the port in the MAC table, and step 304 will
be executed. Otherwise, it indicates that the data packet was probably transmitted with a
spurious MAC address by a malicious user, and step 306, in which the data packet is
discarded, will be executed. After it is judged that the two MAC addresses are
inconsistent and the data packet is discarded, the occurrence of the inconsistency can
be further recorded in a log and reported to the network administrator.

Forwarding of the data packet can be accomplished through the above-noted steps.
Then in step 307, the switch judges whether the terminal device connected to the port 
is disconnected. If so, in step 308, the switch deletes the entry associated with the port 
in the current MAC table, i.e. deletes the map between the port and the MAC address 
of the current terminal device, then the current processing ends. If the port is once 
again connected with a terminal device, such as another terminal device, the same 
terminal device with a changed NIC, or the same terminal device with the same NIC, 
the processing flow of the embodiment will be restarted, i.e. the map between the port 
and the MAC address of the terminal device connected to the port will be 
re-established. If the connection is not cut off, step 301 and its following steps will be 
repeated. 

In the embodiment, whether a connection is established between the terminal
device and the port is judged by detecting physical signals in the port. Specifically,
after a connection between the terminal device and the port is established and the
terminal device is started, the switch can detect a high level on the port, which
indicates that the terminal device has been started. When the connection between the
terminal device and the port is cut off, including the circumstance in which the power
of the terminal device is lost, the switch can detect a low level on the port, which
indicates that the terminal device has broken the connection with the switch port, and the
switch will delete the entry associated with this port in the MAC table.
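The following simulation is an added illustration, not code from the patent: it models one switch running steps 301 to 308 above together with the high/low level link detection just described, and replays the Figure 2 cheating attempt and the bombing sequence against it. The class and method names (`LearnOnceSwitch`, `link_up`, `link_down`, `receive`) are invented for the example; the MAC strings are the page's own labels.

```python
"""Simulation of the binding flow of steps 301-308 together with the
link-state (high/low level) detection that resets a binding. Added
illustration, not the patent's code; class and method names are invented."""
from typing import Dict, List, Optional


class LearnOnceSwitch:
    """Each port learns one source MAC per link-up; the entry is only
    cleared when a disconnection is detected (step 308)."""

    def __init__(self, ports: int) -> None:
        # port -> bound source MAC (the "fixed map"); None means not yet learned
        self.mac_table: Dict[int, Optional[str]] = {p: None for p in range(1, ports + 1)}
        self.log: List[str] = []  # inconsistencies to report to the administrator

    def link_up(self, port: int) -> None:
        # High level detected: port is live, binding waits for the first frame (step 301)
        self.mac_table[port] = None

    def link_down(self, port: int) -> None:
        # Low level detected (step 307): delete the map for this port (step 308)
        self.mac_table[port] = None

    def receive(self, port: int, src_mac: str) -> str:
        """Process one frame arriving on `port`; returns 'forward' or 'drop'."""
        bound = self.mac_table[port]
        if bound is None:
            # Step 302 -> 303: no entry yet, learn the binding once
            self.mac_table[port] = src_mac
            return "forward"  # step 304
        if bound == src_mac:
            return "forward"  # step 305 -> 304
        # Step 305 -> 306: source MAC disagrees with the fixed map; drop and log
        self.log.append(f"port {port}: expected {bound}, got {src_mac}")
        return "drop"

    def port_for(self, dst_mac: str) -> Optional[int]:
        """Destination lookup used when forwarding toward dst_mac."""
        for port, mac in self.mac_table.items():
            if mac == dst_mac:
                return port
        return None


def spoofing_scenario() -> dict:
    """Replays Figure 2 on the new switch: PC 2 on Port 2 claims PC 1's MAC."""
    sw = LearnOnceSwitch(ports=2)
    sw.link_up(1)
    sw.link_up(2)
    sw.receive(1, "MAC 1")  # PC 1 learned on Port 1
    sw.receive(2, "MAC 2")  # PC 2 learned on Port 2
    spoof = sw.receive(2, "MAC 1")  # cheating attempt: dropped, Port 1 keeps MAC 1
    bombing = [sw.receive(2, m) for m in ("MAC 3", "MAC 8")]  # bombing: also dropped
    sw.link_down(2)  # PC 2 unplugged (e.g. NIC replaced); entry deleted
    sw.link_up(2)
    relearn = sw.receive(2, "MAC 9")  # new MAC accepted after re-connection
    return {"spoof": spoof, "bombing": bombing, "mac1_port": sw.port_for("MAC 1"),
            "relearn": relearn, "port2_mac": sw.mac_table[2], "log_entries": len(sw.log)}
```

The returned dictionary shows the two properties the text claims: frames for MAC 1 still resolve to Port 1 after the attempt, and a genuinely re-connected device is re-learned without administrator intervention.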

In this embodiment of the present invention, the map between the MAC address
of the terminal device and the switch port is established based on the MAC address
learning mechanism, in such a way that the disadvantages of low maintenance
efficiency and high cost induced by fixed binding of the MAC address information
and the ports are overcome. And, as long as the connection between the terminal
device and the port is not cut off, the entry associated with the port in the MAC
address table will not be modified; therefore, running software for fabricating MAC
addresses on a PC will not affect the MAC table in the switch, and thus MAC address
cheating, MAC address bombing and the like can be avoided. Therefore, with the
embodiment, through dynamic binding of the terminal devices and the ports, the security
and reliability of the network are improved, network maintenance efficiency is increased
and maintenance cost is decreased.

It will be understood by one skilled in the art that the switch can be a two-layer
switch or a three-layer switch, and this embodiment is not limited to switches, but can
be any communication device based on the MAC address learning mechanism, such as a
firewall device or an Ethernet bridge.

While this invention has been particularly shown and described with reference to 
an exemplary embodiment thereof, it will be understood by those skilled in the art that 
various changes in form and details may be made therein without departing from the 
spirit and scope of the invention as defined by the appended claims. 
Abstract

A method for preventing Ethernet from being attacked is provided. The method
comprises the steps as follows: after detecting a new connection between a port and a
terminal device and receiving a data packet from the terminal device, an Ethernet
communication device establishes and stores a fixed map between the port and a
hardware address of the terminal device, then forwards the data packet according to
the fixed map; after detecting a disconnection between the port and the terminal
device, the Ethernet communication device deletes the fixed map.